Barretenberg
The ZK-SNARK library at the core of Aztec
Loading...
Searching...
No Matches
pairing_points.hpp
Go to the documentation of this file.
1// === AUDIT STATUS ===
2// internal: { status: complete, auditors: [Luke], commit: }
3// external_1: { status: not started, auditors: [], commit: }
4// external_2: { status: not started, auditors: [], commit: }
5// =====================
6
7#pragma once
8#include "barretenberg/commitment_schemes/pairing_points.hpp"
9#include "barretenberg/common/assert.hpp"
10#include "barretenberg/stdlib/primitives/curves/bn254.hpp"
11#include "barretenberg/stdlib/primitives/field/field.hpp"
12#include "barretenberg/stdlib/primitives/field/field_conversion.hpp"
13#include "barretenberg/stdlib_circuit_builders/mega_circuit_builder.hpp"
14#include "barretenberg/transcript/transcript.hpp"
15#include <type_traits>
16
17namespace bb::stdlib::recursion {
18
26template <typename Curve> struct PairingPoints {
27 using Builder = typename Curve::Builder;
28 using Group = Curve::Group;
29 using Fq = Curve::BaseField;
30 using Fr = Curve::ScalarField;
31
32 // Number of bb::fr field elements used to represent pairing points in public inputs
33 static constexpr size_t PUBLIC_INPUTS_SIZE = PAIRING_POINTS_SIZE;
34
35 uint32_t tag_index = 0; // Index of the tag for tracking pairing point aggregation
36
37 Group& P0() { return _points[0]; }
38 Group& P1() { return _points[1]; }
39 const Group& P0() const { return _points[0]; }
40 const Group& P1() const { return _points[1]; }
41
42 bool is_populated() const { return has_data_; }
43 bool is_default() const { return is_default_; }
44
45 PairingPoints() = default;
46
47 PairingPoints(const Group& p0, const Group& p1)
48 : _points{ p0, p1 }
49 , has_data_(true)
50 {
51 Builder* builder = validate_context<Builder>(p0.get_context(), p1.get_context());
52 if (builder != nullptr) {
53 tag_index = builder->pairing_points_tagging.create_pairing_point_tag();
54 }
55
56#ifndef NDEBUG
57 bb::PairingPoints<typename Curve::NativeCurve> native_pp(P0().get_value(), P1().get_value());
58 info("Are Pairing Points with tag ", tag_index, " valid? ", native_pp.check() ? "true" : "false");
59#endif
60 }
61
65 static PairingPoints reconstruct_from_public(
66 const std::span<const stdlib::field_t<Builder>, PUBLIC_INPUTS_SIZE>& limbs)
67 {
68 using Codec = StdlibCodec<stdlib::field_t<Builder>>;
69 constexpr size_t GROUP_SIZE = Codec::template calc_num_fields<Group>();
70 Group p0 = Codec::template deserialize_from_fields<Group>(limbs.template subspan<0, GROUP_SIZE>());
71 Group p1 = Codec::template deserialize_from_fields<Group>(limbs.template subspan<GROUP_SIZE, GROUP_SIZE>());
72 return PairingPoints(p0, p1);
73 }
74
75 // Iterator support (used by validate_context to extract Builder* from the contained group elements)
76 auto begin() { return _points.begin(); }
77 auto end() { return _points.end(); }
78 auto begin() const { return _points.begin(); }
79 auto end() const { return _points.end(); }
80
96 static PairingPoints aggregate_multiple(std::vector<PairingPoints>& pairing_points, bool handle_edge_cases = true)
97 {
98 size_t num_points = pairing_points.size();
99 BB_ASSERT_GT(num_points, 0UL, "Must provide at least one PairingPoints for aggregation");
100 if (num_points == 1) {
101 return pairing_points[0];
102 }
103
104 std::vector<Group> first_components;
105 first_components.reserve(num_points);
106 std::vector<Group> second_components;
107 second_components.reserve(num_points);
108 for (const auto& points : pairing_points) {
109 first_components.emplace_back(points.P0());
110 second_components.emplace_back(points.P1());
111 }
112
113 // Fiat-Shamir: hash all points for binding, but only need n-1 challenges
114 StdlibTranscript<Builder> transcript{};
115 std::vector<std::string> labels;
116 labels.reserve(num_points - 1); // Only need n-1 challenges
117 for (size_t idx = 0; auto [first, second] : zip_view(first_components, second_components)) {
118 transcript.add_to_hash_buffer("first_component_" + std::to_string(idx), first);
119 transcript.add_to_hash_buffer("second_component_" + std::to_string(idx), second);
120 // Generate challenges for points 1..n-1 (skip the first point)
121 if (idx > 0) {
122 labels.emplace_back("pp_aggregation_challenge_" + std::to_string(idx));
123 }
124 idx++;
125 }
126
127 std::vector<Fr> challenges = transcript.template get_challenges<Fr>(labels);
128
129 // Aggregate: P_agg = P₀ + r₁·P₁ + r₂·P₂ + ... + rₙ₋₁·Pₙ₋₁
130 Group P0;
131 Group P1;
132
133 // For MegaCircuitBuilder (Goblin): batch_mul optimizes constant scalar 1 (uses add instead of mul)
134 // so we can include all points in a single batch_mul with scalar [1, r₁, r₂, ..., rₙ₋₁]
135 // For UltraCircuitBuilder: no optimization for witness point × constant(1), so keep first point separate
136 if constexpr (std::is_same_v<Builder, MegaCircuitBuilder>) {
137 // Single batch_mul for all points (efficient for Goblin with constant scalar 1)
138 std::vector<Fr> scalars;
139 scalars.reserve(num_points);
140 scalars.push_back(Fr(1)); // Optimized by Goblin: add instead of mul
141 scalars.insert(scalars.end(), challenges.begin(), challenges.end());
142
143 P0 = Group::batch_mul(first_components, scalars);
144 P1 = Group::batch_mul(second_components, scalars);
145 } else {
146 // Use first point as base, then batch_mul remaining points
147 std::vector<Group> remaining_first(first_components.begin() + 1, first_components.end());
148 std::vector<Group> remaining_second(second_components.begin() + 1, second_components.end());
149
150 P0 = first_components[0];
151 P1 = second_components[0];
152
153 P0 += Group::batch_mul(remaining_first, challenges, 128, handle_edge_cases);
154 P1 += Group::batch_mul(remaining_second, challenges, 128, handle_edge_cases);
155 }
156
157 PairingPoints aggregated_points(P0, P1);
158
159 // Merge tags
160 Builder* builder = P0.get_context();
161 if (builder != nullptr) {
162 for (const auto& points : pairing_points) {
163 builder->pairing_points_tagging.merge_pairing_point_tags(aggregated_points.tag_index, points.tag_index);
164 }
165 }
166
167 return aggregated_points;
168 }
169
177 void aggregate(PairingPoints const& other)
178 {
179 BB_ASSERT(other.has_data_, "Cannot aggregate null pairing points.");
180
181 // If LHS is empty, simply set it equal to the incoming pairing points
182 if (!this->has_data_ && other.has_data_) {
183 *this = other;
184 return;
185 }
186 // Use transcript to hash all four points to derive a binding challenge
187 StdlibTranscript<Builder> transcript{};
188 transcript.add_to_hash_buffer("Accumulator_P0", P0());
189 transcript.add_to_hash_buffer("Accumulator_P1", P1());
190 transcript.add_to_hash_buffer("Aggregated_P0", other.P0());
191 transcript.add_to_hash_buffer("Aggregated_P1", other.P1());
192 auto recursion_separator =
193 transcript.template get_challenge<typename Curve::ScalarField>("recursion_separator");
194 is_default_ = false; // After aggregation, points are no longer default
195 // If Mega Builder is in use, the EC operations are deferred via Goblin.
196 // batch_mul with constant scalar 1 is optimal here (Goblin uses add instead of mul).
197 if constexpr (std::is_same_v<Builder, MegaCircuitBuilder>) {
198 // Goblin: batch_mul with constant scalar 1 uses add instead of mul
199 P0() = Group::batch_mul({ P0(), other.P0() }, { 1, recursion_separator });
200 P1() = Group::batch_mul({ P1(), other.P1() }, { 1, recursion_separator });
201 } else {
202 // Ultra: 128-bit scalar mul to save gates
203 Group point_to_aggregate = other.P0().scalar_mul(recursion_separator, 128);
204 P0() += point_to_aggregate;
205 point_to_aggregate = other.P1().scalar_mul(recursion_separator, 128);
206 P1() += point_to_aggregate;
207 }
208
209 // Merge the tags in the builder
210 Builder* builder = P0().get_context();
211 if (builder != nullptr) {
212 builder->pairing_points_tagging.merge_pairing_point_tags(this->tag_index, other.tag_index);
213 }
214
215#ifndef NDEBUG
216 bb::PairingPoints<typename Curve::NativeCurve> native_pp(P0().get_value(), P1().get_value());
217 info("Are aggregated Pairing Points with tag ", tag_index, " valid? ", native_pp.check() ? "true" : "false");
218#endif
219 }
220
228 uint32_t set_public(Builder* ctx = nullptr)
229 {
230 BB_ASSERT(this->has_data_, "Calling set_public on empty pairing points.");
231 if (is_default_) {
232 Builder* builder = validate_context<Builder>(ctx, P0().get_context(), P1().get_context());
233 BB_ASSERT(builder != nullptr, "set_public on default pairing points requires a builder context.");
234 return set_default_to_public(builder);
235 }
236 Builder* builder = validate_context<Builder>(ctx, P0().get_context(), P1().get_context());
237 builder->pairing_points_tagging.set_public_pairing_points();
238 uint32_t start_idx = P0().set_public();
239 P1().set_public();
240 return start_idx;
241 }
242
246 void fix_witness()
247 {
248 BB_ASSERT(this->has_data_, "Calling fix_witness on empty pairing points.");
249 P0().fix_witness();
250 P1().fix_witness();
251 }
252
257 bool check() const
258 {
259 BB_ASSERT(this->has_data_, "Calling check on empty pairing points.");
260 bb::PairingPoints<typename Curve::NativeCurve> native_pp(P0().get_value(), P1().get_value());
261 return native_pp.check();
262 }
263
271 static uint32_t set_default_to_public(Builder* builder)
272 {
273 builder->pairing_points_tagging.set_public_pairing_points();
274 // Infinity is represented as (0,0) in biggroup. Directly add zero limbs as public inputs, bypassing bigfield's
275 // self_reduce.
276 uint32_t start_idx = static_cast<uint32_t>(builder->num_public_inputs());
277 for (size_t i = 0; i < PUBLIC_INPUTS_SIZE; i++) {
278 uint32_t idx = builder->add_public_variable(bb::fr(0));
279 builder->fix_witness(idx, bb::fr(0));
280 }
281 return start_idx;
282 }
283
288 static PairingPoints construct_default()
289 {
290 Group P0(Fq(0), Fq(0), /*assert_on_curve=*/false);
291 Group P1(Fq(0), Fq(0), /*assert_on_curve=*/false);
292 PairingPoints pp(P0, P1);
293 pp.is_default_ = true;
294 return pp;
295 }
296
297 private:
298 std::array<Group, 2> _points;
299 bool has_data_ = false;
300 bool is_default_ = false; // True for default (infinity) pairing points from construct_default()
301};
302
303template <typename NCT> std::ostream& operator<<(std::ostream& os, PairingPoints<NCT> const& as)
304{
305 return os << "P0: " << as.P0() << "\n"
306 << "P1: " << as.P1() << "\n"
307 << "is_populated: " << as.is_populated() << "\n"
308 << "tag_index: " << as.tag_index << "\n";
309}
310
311} // namespace bb::stdlib::recursion
BB_ASSERT
#define BB_ASSERT(expression,...)
Definition assert.hpp:70
BB_ASSERT_GT
#define BB_ASSERT_GT(left, right,...)
Definition assert.hpp:113
bb::BaseTranscript
Common transcript class for both parties. Stores the data for the current round, as well as the manif...
Definition transcript.hpp:41
bb::BaseTranscript::add_to_hash_buffer
void add_to_hash_buffer(const std::string &label, const T &element)
Adds an element to the transcript.
Definition transcript.hpp:318
bb::PairingPoints
An object storing two EC points that represent the inputs to a pairing check.
Definition pairing_points.hpp:22
bb::PairingPoints::check
bool check() const
Verify the pairing equation e(P0, [1]₂) · e(P1, [x]₂) = 1.
Definition pairing_points.hpp:77
bb::curve::Grumpkin::Group
typename grumpkin::g1 Group
Definition grumpkin.hpp:62
bb::stdlib::field_t
Definition field.hpp:46
zip_view
Definition zip_view.hpp:166
pairing_points.hpp
info
#define info(...)
Definition log.hpp:93
builder
AluTraceBuilder builder
Definition alu.test.cpp:124
mega_circuit_builder.hpp
bb::stdlib::recursion::operator<<
std::ostream & operator<<(std::ostream &os, PairingPoints< NCT > const &as)
Definition pairing_points.hpp:303
std::get
constexpr decltype(auto) get(::tuplet::tuple< T... > &&t) noexcept
Definition tuple.hpp:13
std::to_string
std::string to_string(bb::avm2::ValueTag tag)
Definition tagged_value.cpp:402
field_conversion.hpp
StdlibCodec for in-circuit (recursive) verification transcript handling.
bb::stdlib::recursion::PairingPoints
An object storing two EC points that represent the inputs to a pairing check.
Definition pairing_points.hpp:26
bb::stdlib::recursion::PairingPoints::PUBLIC_INPUTS_SIZE
static constexpr size_t PUBLIC_INPUTS_SIZE
Definition pairing_points.hpp:33
bb::stdlib::recursion::PairingPoints::check
bool check() const
Perform native pairing check on the witness values.
Definition pairing_points.hpp:257
bb::stdlib::recursion::PairingPoints::set_default_to_public
static uint32_t set_default_to_public(Builder *builder)
Set the witness indices for the default (infinity) pairing points to public.
Definition pairing_points.hpp:271
bb::stdlib::recursion::PairingPoints::aggregate_multiple
static PairingPoints aggregate_multiple(std::vector< PairingPoints > &pairing_points, bool handle_edge_cases=true)
Aggregate multiple PairingPoints using random linear combination.
Definition pairing_points.hpp:96
bb::stdlib::recursion::PairingPoints::reconstruct_from_public
static PairingPoints reconstruct_from_public(const std::span< const stdlib::field_t< Builder >, PUBLIC_INPUTS_SIZE > &limbs)
Reconstruct PairingPoints from public input limbs.
Definition pairing_points.hpp:65
bb::stdlib::recursion::PairingPoints::aggregate
void aggregate(PairingPoints const &other)
Aggregate another PairingPoints into this one via random linear combination.
Definition pairing_points.hpp:177
bb::stdlib::recursion::PairingPoints::construct_default
static PairingPoints construct_default()
Construct default pairing points (both at infinity).
Definition pairing_points.hpp:288
bb::stdlib::recursion::PairingPoints::fix_witness
void fix_witness()
Record the witness values of pairing points' coordinates in the selectors.
Definition pairing_points.hpp:246
bb::stdlib::recursion::PairingPoints::set_public
uint32_t set_public(Builder *ctx=nullptr)
Set the witness indices for the pairing points to public.
Definition pairing_points.hpp:228
bb::stdlib::recursion::PairingPoints::PairingPoints
PairingPoints(const Group &p0, const Group &p1)
Definition pairing_points.hpp:47